About Company
The company, publicly traded on the NYSE, reports annual revenues of approximately $450 million and holds a market capitalization near $3.5 billion. As a member of the S&P 600 Cosmetics Index since 2004, it has steadily expanded its brand portfolio. Today, it offers a diverse range of cosmetics, including Well People, a clean beauty label, and Keys Soulcare, a lifestyle beauty brand developed in collaboration with Alicia Keys. Its products are widely available online and at major U.S. retailers, with a steadily growing international presence.
Position Summary
We are seeking a highly skilled and proactive Security Risk Manager to join our growing security team. You will be responsible for assessing, monitoring, and mitigating information security risks associated with third-party vendors and service providers. This role ensures vendor relationships comply with organizational security policies, industry regulations, and best practices to protect sensitive data and systems.
Key Responsibilities
- Conduct comprehensive security risk assessments internally and of third-party vendors, including cloud providers, SaaS vendors, and IT service providers.
- Evaluate internal and third-party security controls, policies, and compliance with frameworks such as NIST, ISO 27001, SOC 2, GDPR, HIPAA, and PCI-DSS.
- Perform due diligence reviews, including security questionnaires, audits, and contract reviews.
- Identify, document, and prioritize risks related to vendor access, data handling, and system integrations.
- Work with procurement and legal teams to ensure security requirements are included in vendor contracts and SLAs.
- Prepare risk reports for senior leadership, highlighting key vendor risks and mitigation strategies.
- Communicate security expectations to vendors and internal stakeholders.
- Maintain a centralized vendor risk repository with up-to-date documentation.
- Stay updated on emerging threats, regulatory changes, and industry best practices.
- Enhance vendor risk assessment processes and tools for efficiency and effectiveness.
- Cross-train team members on risk management principles.
- Actively participate in the broader corporate security efforts, including infrastructure security, end-user training, and vulnerability management.
Required Qualifications
- Bachelor’s degree in Information Security, Cybersecurity, Risk Management, or related field.
- 5+ years of experience in IT risk management, vendor risk assessment, or third-party security evaluations.
- Strong knowledge of security frameworks (NIST, ISO 27001, SOC 2, GDPR, etc.).
- Experience with vendor risk assessment tools.
- Strong GRC (Governance, Risk, and Compliance) platform knowledge.
- Familiarity with cloud security, data privacy laws, and contractual security clauses.
- Strong communication and interpersonal skills, with the ability to collaborate effectively with technical and non-technical stakeholders.
Preferred Qualifications
- Industry certifications such as CISA, CRISC, or CTPRP.
- Experience in regulated industries (finance, healthcare, government).
- Knowledge of supply chain security risks and zero-trust architecture principles.
- Experience with contract reviews to ensure required security clauses (data protection, breach notification, audit rights) are included.
- Knowledge of continuous monitoring strategies for vendors.